I, Spybot: NSA Docs Detail Spying In WoW, Second Life

Share this:

I’m not quite ready to declare privacy dead, but it’s reeeeeeeeeallly not doing so well in this day and age. Each racking cough brings up phlegmy handfuls of news about intrusive government and corporate programs – not to mention services that have normalized broadcasting every aspect of our lives on public channels without really considering the consequences. Admittedly, I don’t think it’s all bad (I use Twitter and Facebook all the time; I have no one but myself to blame for that), but many initiatives are absolutely overstepping our boundaries and rights. The NSA, especially, has hit a rather frightening point-of-no-return, and unsurprisingly, it’s taken to snooping around inside games on top of, you know, pretty much everything else.

Snowden-disclosed documents published in partnership by The Guardian, The New York Times, and ProPublica suggest that the NSA and its UK sister agency the GCHQ have made a concerted effort to infiltrate and track possible terrorist activities through various online games for years.

The documents, written way back in 2008 (the program, in other words, could’ve grown, shrank, or changed quite markedly since then), pinpoints Xbox Live as its biggest target, with mass collection techniques tailor-made to sift through its massive web of racist 14-year-olds/probable terrorists.

World of Warcraft and Second Life, meanwhile, were infiltrated by individual agents hoping to find informants or evidence of illicit communication via in-game channels, and WoW was eventually subject to metadata-gathering “exploitation modules,” according to The Guardian’s report. The NSA and GCHQ feared that targets could use games like those to essentially “hide in plain sight.” The government document further argued in favor of more in-depth surveillance techniques for those games, given that both include private messages, voice chat, and even anonymous communication in the case of Second Life. Moreover, Second Life was singled out for its “essentially unregulated” economy, which could facilitate money transfer and, for some reason, “will almost certainly… be used for terrorist propaganda and recruitment.”

It’s unclear, however, what actually occurred beyond that. How much data did these agencies ultimately get their hands on? And who did they end up monitoring? Were innocent people casualties of The Hunt, as they often are? The documents signaled intent and creation of tools, but little in the way of specifics like how, where from, and on what scale. However, a handful of examples seem to indicate that this was less a piggy-toe-first approach and more of a cannon ball. For instance, British intelligence officers pulled 176,677 lines of data in one case, including communications.

Microsoft and Blizzard have claimed ignorance in response, while Linden Labs declined to comment. “We are unaware of any surveillance taking place,” a Blizzard rep told The Guardian. “If it was, it would have been done without our knowledge or permission.” Microsoft’s response to Polygon was virtually identical: “We’re not aware of any surveillance activity. If it has occurred as reported, it certainly wasn’t done with our consent.”

Most upsettingly, the reports allege that government officials never had much success proving that this was even a worthwhile pursuit in the first place, and the intelligence experts interviewed for the reports claimed they were not aware of any counter-terrorism successes stemming from these programs. The documents claim games have produced a few usable pieces of intelligence, but not much beyond that.

And yet, they persisted. That might be the most troubling part of all in a story whose every word fills my gut with bilious unease. But hey, on the upside, any agency that truly believes Second Life to be a dominant cultural force can’t be too much of a threat. Oh, but NSA and GCHQ, do dispatch a few squads into Counter-Strike. I hear there’s all kinds of terrorism going on over there.

Surely they were identifying terrorists using more proven methods and tracking them online, as well as the people they spoke to. I mean, if I found out that I had been monitored and it was because I had been in direct contact with a dodgy person, I would not feel like my privacy had been violated. If I found out I had been monitored just randomly, well then, that is a problem but more to the point, surely they don’t have the resources to make that an effective approach?

Except if you actually read the other articles and source material, you see that their agents were bungling into each other and spying on other agents without realizing it so often they had to restructure things.

So no, they were quite literally bungling around searching for suspicious individuals in game while playing.

I am now imagining them with SL avatars of Guys Sitting Inconspicously Reading Newspapers, various Mobile Shrubberies, and in one case an oversized pot-plant with eyeholes, all shuffling around trying not to be seen.

One has to assume there was at least some element of that going on. “I think some of that guild’s members’ names look a bit dodgy, I should try and join them on Naxx 25 next week, better spend all weekend grinding heroics for gear and then I’ll RP with their GM in the tavern on monday night”

With how much of the surveillance state being private contractors engaged in these tedious, fruitless activities, you have to think there’s a lot of abuse like that. I mean, even if it didn’t start off that way, how seriously could you expect some 20-30 something employees to take patrolling WoW for terrorist activity?

You have to imagine that’s a job they fill the break room with snark about, and go home to either whine to their significant others about or hide the truth of to save face.

I often find it oh so amusing the more you know about how the Intelligence Community (they like oxymorons) the more The Man Who Was Thursday stops reading like a humor and more like barely disguised facts.

Speaking as someone who definitely =has= been monitored (for several years I was routinely taken off airplanes, detained for hours without explanation, and had DHS agents reveal that they knew a great deal about my personal life) I can tell you that the criteria they apply for spying on people isn’t stringent enough, and there isn’t enough oversight or transparency. My ‘crime’ – being married to a senior PR person from a prominent charity. Admittedly, she had a felony assault conviction… for throwing a custard pie at a press conference in 1995 or thereabouts.

The correct incantation to summon Our Lord and Custard involves copious tea consumption, ceaseless tweeting, and the sacrifice of a bearded daily mail reader whose body he will inhabit for the duration of the ritual (Bearded for comfort, DM reader so he doesn’t feel bad about it)

Lord Smingleigh has departed on an extended holiday as of the afternoon of December the 9th. All inquiries involving police, beauty, Texas, or allegations of his connection to custard pie manufactories in India should be referred to this picture of a robot boot stomping on a human face, forever.

In regards to the criteria for watching people not being stringent enough, I have to agree with you. I’m a former police officer, and it’s kind of a routine thing to pull up to a light and run the tags of everyone there. I was quite amazed at the fact that almost every time there was usually one person who was listed as being on a terrorist watch list. That’s an awfully huge (and I would imagine, inefficient) dragnet. Granted, this could also be skewed based on the county I worked in at the time.

As an aside, I can also pretty much guarantee that every light you pull up to will have at least one person who has had a DUI. Often it’ll be 2 or 3, so how in the world they’re still allowed to drive is beyond me.

Would’ve been more of a surprise if they weren’t monitoring these networks. You can send detailed chat messages, so it would be a no brainer to hop on barrens chat to plan your trip or whatever if you thought you could do that without being observed. The lengths these guys supposedly go to to avoid detection are staggering, eg taking it in turns to type into a word document and erase the last guy’s sentence, etc.

Full disclosure: no, I don’t think surveillance culture is a good thing overall, and yes I do think the authorities are routinely overstepping their remit now, particularly the USA, but we’ve got some troubling legislation on the burner here too.

Especially as individual actors can always come up with novel ways to communicate securely. It’s similar to how DRM only punishes non-pirates; snooper legislation simply means a lot of spying on innocent people, while pretty much anyone with a brain who wants to stay ahead of the spies will have the tools to do so.

The silliness of all of this is relying on an external client built by a third party that you have no control over. There are incredibly basic instructions that I’ve seen online that allow you to create a Dropbox-like server that is heavily encrypted and can synchronize documents. Using that and a few other encryption/decryption tools would, in my opinion, be a far more likely scenario than “let’s hop on WoW and plan our next move”.

Terrorists generally are smarter, better educated, and have more specialized skills than their peers, according to pretty much every study I’ve ever seen. These conflicts are not born of dumb people who can’t figure out what to do with their free time, it’s slightly more complicated than fox would have you believe.

Better-educated than their peers, sure. That’s not saying much, though. I’m in the “if we fed, clothed, and educated these people, or the people they pretend to represent, we’d neutralise the problem more effectively than armed response can” camp. Not the “these people are all idiots” fox news camp.

“All major transport hubs, tourist destinations, and large public areas were shut down today as intelligence agencies uncovered multiple, co-ordinated international conspiracies to plant bombs at ‘as yet unidentified’ locations. Codenamed ‘A’ and ‘B’, investigations as to their true location are still ongoing, the agencies say.”

“Allegedly, there are so called ‘Counter-Terrorists’ already at the scene trying to prevent destruction, though Government has made it clear that those are not their own forces. Who exactly those people are, how they got access to military weaponry and most importantly, how they obtained their intel about the terrorists’ plans and whereabouts remains unknown. We can only – wait, this just in: NSA reports a captured radio message saying ‘terrorists win’. I… May god have mercy on us”

You know I would be ok with surveillance in most of these cases if elected officials and companies would just stop lying about it. They should be punished for not disclosing. A little accountability goes a long way.

“So guys, hear me out here. This may sound silly, but I think there might be terrorists playing World of Warcraft! But don’t worry, I am willing to sacrifice myself to sniff them out! All I need is a paid for subscription, gallons of Mountain Dew and some help getting the best gear in the game.

If I were a NSA agent I did be all like: “Hey boss! This lesbian couple right here look like terrorists, but we need full surveillance to be sure so I’m requesting 24 hidden HD video cameras to be planted inside their residence asap.”

“We believe the subject has been plotting to destroy a designated landmark, but based on his history, it’s likely he’ll abandon the plan at the last minute and futilely attack while shouting: Leeroy Jenkins!“

If you don’t want to wait for Rab to hammer out one of his brilliant, brilliant paragraphs, I can give you the essence:

It’s tacky, horny, stupid and terrible. It is the mind of human pop culture exposed in its raw, hydraelike form. It is every crappy, tacky thing we love for those exact reasons condensed into a mad world where the only sense is what humans imagine. It is beautiful.

It’s a bit naive to say “why spy on 14-year-olds” when reality is that someone who’s conspiring to do something might just think

“Hey – if we talk on XBOX Live, no-one will be listening – it’s just full of kids!!”

Governments are instruments of control – modern communications ofters them unprecedented levels of access to what people are saying and doing so if you thought they’d not use it – you’re dumber than cheese.

The irony is – therefore – that the only people they’ve going to catch, are dumber than cheese – but history shows that even those people can wreak havoc (indeed, to think that blowing-shit-up solves anything probably qualified as ‘dumber than people dumber than cheese’)

The core issue with all these ‘revelations’ (which, let’s be honest, aren’t a surprise at all) isn’t that this stuff happens – it’s the degree to which the people doing-it think it’s all completely legal and how much time and money they’re spending doing it with no apparent result.

If we’d spent that money on worthwhile things – like nutrition, health and education – there would be fewer people worth spying on…

How about that:
“we’ll pass you 2MB encryption keys on a pendrive and this simple application in here to encrypt all the correspondence. 2-3 days of training and you’ll be more than capable of using it in uber-secure way. NSA will look on open channels, but there’s still tons of data that can be easily passed between people and look like a noise for NSA.”

If you think terrorists are stupid enough to use games or Skype for communications – you are more naive than idiots in NSA. At least they use their job for entertainment.

“modern communications ofters them unprecedented levels of access to what people are saying and doing so if you thought they’d not use it” – they also offer unprecedented levels of secrecy in communication. And there are thousands of people capable of exchanging data between each other in unimaginable level of secrecy and obscurity – all being done live with NSA looking for places where nothing really happens.
Only area where such spying might work is in detection of recruitment – but that’s pointless once you realize that (nearly) all of the successful attacks were done by people recruited outside of the internet.

Did you read the articles which said that the NSA has – effectively – defeated all forms of encryption worth knowing about?

Some people believe they may even have solved the problem of how to factorisise quickly – which would certainly mean they can read almost anything they want to (and that a major scientific breakthrough has been made and kept secret which would be quite a think in itself)

Right now, using encryption is only raising a flag saying “I’m saying something worth hearing” – right now you’re better off talking normally in a room full of other people.

“Did you read the articles which said that the NSA has – effectively – defeated all forms of encryption worth knowing about? ” – yea, read that. Got a friend who sits in encryption community and he calls that BS made to scare people away from encryption tools. Simply because right now it’s the only thing that NSA haven’t penetrated yet, and pretty much can’t fully break it because of how these algorithms work (you need to break them on case-by-case basics and it takes dozens of years for supercomputers to break them if they were used in a correct way). Sure – they got some of weaker algorithms off, like RSA, or got backdoors in few applications, but these are just rare exceptions.

NSA makes an enormous anti-encryption campaign right now, full of black PR to scare people off. Seems like it pays off if you believed in that.

Except that the only suggestion they’ve broken this stuff came from leaks and not from them – I’d be less interested if they’d been shouting about how they could break encryption (in the same way they shout about how their bombs can break bunkers etc. etc.)

Military types aren’t shy about telling you how long their todger is…

Do I think they can read all encypted messages? NO

Do I think they will try harder the more you use them? HELL YES

So, again, it’s easier, cheaper and safer just to talk quietly in a noisy place – and where noisier than XBOX Live or WoW? :)

Actually breaking (good) crypto is kind of a brute force and ignorance approach, too, when in many cases they can just working around it. For example, rather than trying to break the TLS tunnel between me and Google, just hit Google with legal demands to hand over my e-mail (and gag them from informing anyone that they did so).

And in the UK remember that we have the delightful RIPA with its “hand over the encryption keys or we’ll assume guilt” approach.

Let’s assume that you aren’t dumber than cheese. I assume so, because you seem to look down at people who are.

That would mean that for decades now you’ve been looking at all the people using the internet thinking “Governments everywhere are rifling through these guys private lives and they know nothing. Better not talk about it or help them encrypt their stuff.”. So you aren’t stupid, you’re just indifferent. The great Sherlock Holmes deduces that incredible power is in the hands of shadow figures unknown and he just sits back and plays the fiddle?

trjp – noise doesn’t help much. Noone reads all of these messages. Computers simply parse data in chats / run voice recognition on voice chats. For them it doesn’t matter if there are 10 or 10 000 messages. That’s why encryption always wins over security by obscurity. And that’s why NSA does what it can to discourage people from using something else than open channels.

“Except that the only suggestion they’ve broken this stuff came from leaks and not from them” – and why would they give away such information? You do realize that we talk here about No Such Agency? The only info we have comes from leaks by former employees and people seeking justice over NSAs fat arse interest.

“Did you read the articles which said that the NSA has – effectively – defeated all forms of encryption worth knowing about? ” – yea, read that. Got a friend who sits in encryption community and he calls that BS made to scare people away from encryption tools.
Neither of those is particularly convincing arguments. On one hand the NSA creating false leaks to obfusticate it’s capabilities is just the kind of thing they’d do. On the other hand, the NSA keeping secrets about their abilities is just the kind of thing they’d do.

To me, the latter seems more likely (the former relies too much on people both knowing about and believing the bluff), but rumours aren’t even close to proof.

Even OTP ? Woot , those guy at the NSA are so great. Are they using magic pixie dust ?

Beside one time pad, even for symmetric and non symmetric algorithmI am very doubtful that the NSA defeated any of the latest algorithm. They might have injected code to make specific program or package weaker (like for example weakness in the RND), but defeating the algorithm is waaaay different.

I feel that the situation with Internet spying is really getting out of hand. It’s like the McCarthy era, only with a new coat of paint – everyone still runs around screaming in terror pretty much the same way, only now instead of “communists!” it’s “terrorists!”. And the spying is not even for an obvious reason like rooting out thought criminals or the like – it’s to catch people who might possibly perhaps maybe be up to something. At the very least, the taxpayers shouldn’t be paying for some agency spying on their day-to-day activities hoping to find something that isn’t there.

I’ll admit that I know next to nothing about the McCarthy’s witch hunt for “them dirty commies”, but from what I do know, I think most people back then also “minded their own business” and not gave two shits about the state’s paranoid hunt for miscreants endangering “national security”.

Oh it wasn’t like that at-all – you had a state-funded witch-hunt rewarding people for shopping their friends and family and – of course – anyone they had the slightest dislike of (and minimal proof was required to tarnish someone)

It extended so-far into American life that it dictated who appeared in films and on TV and who got the best jobs – it wasn’t quite what was achieved in East Germany but in some ways it was worse because it was the same concept with the same reach and the same “inclusivity” but implemented in what APPEARED to be a ‘free’ society.

It’s the single best example of how 1 person in the right place with the right message can gain unrivalled power – you can make all the smart arguments you like but it’s much quicker just to undermine your opponents…

Hah! They can go through my files all day long — I have nothing to hide. All they might find is that I like to look at some classy porn; maybe also that I’m a computer expert with a background in chemistry; that I have an avid interest in explosives and that I work for the European Organization for Nuclear Research… Wait, shit.

“They can go through my files all day long — I have nothing to hide.” – can they stream your sex life in the internet too? Or do you have something to hide? Zoophilia perhaps? NSA never knows.
And now that you go into the airport – voluntarily go for full body check – cause after all: you have nothing to hide. Not even in your bottom, right?

Streaming sex life, body checks — such puritan fears. I really would not mind, to be honest. I would be more concerned about ending up on a no-fly list for some stupid reason or, worse, arrested without trial like Byron Sonne.

You know, someone living in the Uk, or the USA, might at least console themselves saying that it was “for their own safety”, so one of their rights has been affected to benefit another one, it’s almost acceptable.
But I live outside of the Anglosphere, I have absolutely NO warranties from all this. Unless I accept the sovereignty of a foreign nation as my own, this is pretty much an act of international espionage, and if it MAYBE rests within the boundaries of the United States’ constitution, it sure as hell doesn’t sit well with all the rest of Western Europe’s constitutions (to mention a few). And my country is still in NATO and all, I wonder how the Chinese, the Brazillians or Moroccan must feel.

Sort of a moot point when the Chinese government has throngs of hackers working on that very problem and multiple NATO countries have been caught acquiescing to NSA and CIA requests to spy on their own citizens.

“Any society that would give up a little liberty to gain a little security will deserve neither and lose both.”

Benjamin Franklin is thought to have said that. Frankly, I don’t agree. I believe that security is the heart of a state and liberty is the areas to which it does not extend. I have no problem trading the liberty of killling who I want with the security that I won’t get killed by someone with that same freedom. I just believe that the exchange rate of lately has gotten so damn low that I might like some of that liberty back, please.

And that’s when you discover that the government has put up a sign that says “No refunds and we’re also signing you up for these deals here.”.

I thought about whether it might be viable to have a clandestine meeting in an MMO a while ago. I decided that sharing secrets and having them recorded in a well formatted, date stamped, searchable chat log by a private corporation who can be easily subpoenaed (if they still perform that quaint, old fashioned ‘following the law’ thing these days) might not be the best idea for staying secure.

I would assume most enemies of the state would come to the same conclusions.

My short experience with second life (a year or two after it started) ended after a linden and a friend of his bragged about stealing from people’s in game bank accounts (I think they were atms, he was using his accsess to pull passwords transmitted to the kiosks.) next to my afk avatar. I turned In the chatlog and received a permaban. I have no idea what goes on in SL, but I would imagine any investigation not targeting the owners and employees isn’t going to yield very much.

I don’t see the big deal here. It would be different if there was any expectation of privacy in these games but we all know everything we do in thesew games is already logged. There is no expectation of privacy in the public chat of a CoD game on xbox live etc…

It would be like going to the food court in the mall and planning a robbery. There is no expectation of privacy therefore its is not a violation of our rights. That doesn’t mean I don’t think its a waste of resourses but the argument that they are violating our rights here is silly.

I have no inside knowledge of these operations. I can tell you beyond a shadow of a doubt that people looking to hide illegal activities internationally will take the easy route to do so, and the people hunting them will follow. What you’d be looking for is coded or clear chat logs, mostly. Kind of like people use the same gmail or yahoo mail account to write draft messages, then the other person logs in reads and deletes.

The entire story is blown out of all proportion by a media hungry for controversy and titillating sensation to make you (and I) click on a story. These are likely barely programs targeting a game, it’s just an analyst/case officer using commercial software to follow his target and trying to find probable cause for a warrant, or a way to get the info w/o a warrant without breaking a law, or too many, in the process. But feel to be outraged and get angry and call your congressperson.